×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
phant0m
Observer
Member since: ‎02-18-2025
‎02-19-2025
Community Statistics
Posts 2
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎02-18-2025
View All

Re: Using the map command with a subsearch not wor...

by in Splunk Search
‎02-19-2025 08:26 AM
‎02-19-2025 08:26 AM
Thank you @yuanliu for your insightful response! The csv file contains 3 columns, "id", "rule", and "Boolean". The id column just identifies which "rule" fired. The "id" column is just a text string to identify the rule that fired. The "rule" column is a Splunk rule (IE: "/user:" AND pwd)  that either contains a Boolean operator (AND, OR, NOT) or does not contain a Boolean operator. The "boolean" column just says TRUE or FALSE as to whether the preceding "rules" column contains a boolean.  I agree with you that the "map" command may not be the best command for what I am trying to do. So far this search string does generate results:  index="index1" [ inputlookup rules.csv | eval search = if(boolean="FALSE","\""+rule+"\"",rule) | return 10000 $search] | head 5 | fields _time index | eval time_token = "_time=" + _time , index_token = "index=" + index | stats values(time_token) AS time_token values(index_token) AS index_token | eval time_token=mvjoin(time_token," OR ") , index_token=mvjoin(index_token," OR ") | append [ inputlookup rules.csv | eval rule = if(boolean="FALSE","\""+rule+"\"",rule)] | eventstats first(time_token) AS time_token first(index_token) AS index_token | search rule=*   And shows a "time_token" and "index_token" for each time and index that contains a match to one of the rules in the csv file. My attempt with the "map" command was to then map the rule to the event in Splunk to identify which rule fired on which event. Do you have a suggestion for something that could work better?  ... View more

Using the map command with a subsearch not working

by in Splunk Search
‎02-18-2025 09:03 AM
‎02-18-2025 09:03 AM
Hello all, new poster here. I have a csv file with a column full of Splunk queries. I am trying to enrich my Splunk instance with the data from the csv file via the following command:        index="index1" [ inputlookup rules.csv | eval search = if(boolean=="FALSE","\""+rule+"\"",rule) | return 10000 $search] | fields _time index | eval time_token = "_time=" + _time | eval index_token = "index=" + index | stats values(time_token) AS time_token values(index_token) AS index_token | eval time_token=mvjoin(time_token," OR ") | eval index_token=mvjoin(index_token," OR ") | append [ inputlookup rules.csv | eval rule = if(boolean=="FALSE","\""+rule+"\"",rule) | return 10000 $rule] | eventstats first(time_token) AS time_token first(index_token) AS index_token | search rule=* | map maxsearches=100 search="search [| makeresults | eval search= \"$time_token$ $index_token$ $rule$\" | return $search] | eval rule_found=\"$rule$\", rule_id=\"$id$\""       The problem I am having is with the "map" command. everything after the second "search" is greyed out and not being included in the search. I have been able to get the following portion of the code working:      index="index1" [ inputlookup rules.csv | eval search = if(boolean=="FALSE","\""+rule+"\"",rule) | return 10000 $search] | fields _time index | eval time_token = "_time=" + _time | eval index_token = "index=" + index | stats values(time_token) AS time_token values(index_token) AS index_token | eval time_token=mvjoin(time_token," OR ") | eval index_token=mvjoin(index_token," OR ") | append [ inputlookup rules.csv | eval rule = if(boolean=="FALSE","\""+rule+"\"",rule) | return 10000 $rule] | eventstats first(time_token) AS time_token first(index_token) AS index_token | search rule=*       Thank you for any suggestions you have to get this search working.   ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎02-19-2025 11:46 AM